ATM malware is clearly a hot topic and a big concern nowadays for the banking industry. Our experience in this field, backed by recent incidents, shows that this rapidly growing threat is severely hitting ATM infrastructures worldwide. A recent report from Europol and Trend Micro also highlights that ATM malware is on the rise.

The latest reported victim of an ATM malware attack is the Government Savings Bank, a state-owned Thai bank based in Bangkok. The attack targeted 21 ATMs, allowing the criminals to steal a total of 350.000$ in cash. Furthermore, the attack forced the bank to deactivate 3.300 ATMs, half of its network, in order to investigate whether they were infected and, if so, to clean them.

The attackers were able to breach the financial institution’s internal network, then moved laterally and compromised the software distribution system, which was used to push the malware to multiple ATMs. Once installed on the ATMs, the malware, dubbed “RIPPER”, was used to “jackpot” them.
The modus operandi of these attacks reveals a combination of sophisticated hacking techniques, deep knowledge of the bank’s internal infrastructure and ATM operations, and the use of cutting-edge ATM malware.

Although the attack was reported in Thailand, it is highly probable that it has hit, or will hit, other countries or regions, and it closely resembles the Carbanak attack that shocked the industry in 2015 (see our blog post).

ATM Jackpotting using RIPPER Malware

ATM jackpotting, the use of malware to “cash out” ATMs, is nowadays one of the trendiest ATM cybercrime tactics. Criminals use it to gain full control of the ATM hardware devices (dispenser, card reader and PIN pad), allowing them to steal huge amounts of cash without having to use a credit or debit card.

Although jackpotting is nothing new, and there are many well-known malware families using similar techniques (Tyupkin, Suceful, GreenDispenser…), the attacks in Thailand appear to use a new generation of malware dubbed “RIPPER”.

Security in Joomla: yes, we can!

Joomla! is one of the most popular Content Management Systems (CMS) used to build websites, together with other CMSs such as WordPress, Drupal and Magento. This makes life much easier for attackers looking to compromise websites, as they can simply concentrate on exploiting vulnerabilities in the CMS itself or in one of its popular plugins and extensions.

According to reports by Sucuri’s Incident Response Team and Malware Research Team, Joomla! sites are usually hacked for SEO spam, drive-by-download infections, exploit or DDoS tools, and phishing. In over two-thirds of cases, the cleaning team found backdoors in the websites: the attackers want to make sure that they can get back in if web administrators attempt to clean up the site.

There is much controversy about the security of Joomla!. On the one hand, some people argue that, because Joomla! is a free CMS that relies on third-party extensions, it is inherently vulnerable; on the other hand, a large part of the Joomla! community regards it as one of the most secure CMSs, because a dedicated security team continuously reviews the problems reported by the Joomla! community itself.

In this article, some tips are given to improve the security of a website built with Joomla!.


Keep the server updated

The server where Joomla! is installed must run the latest stable versions of PHP and MySQL, while keeping in mind the technical requirements that Joomla! recommends for the installed CMS version, which should itself be the latest!


Configure PHP properly

It is highly recommended to configure some PHP directives properly. They are the following:


Don't give clues about the database

Everybody knows the table names of a Joomla! database and their structure, but nobody should know the prefix of “your” tables. Don’t use as a prefix anything that identifies your website. It is better to use a prefix of 3 random characters, starting with a letter.


Avoid using typical usernames and passwords

Avoid usernames and passwords such as admin, joomla, etc. Protect the Super Administrator user with a password (at least 6 characters long) that combines letters and numbers in a non-obvious way.


Install only what is in JED

JED stands for Joomla! Extensions Directory, and it is the official directory for Joomla! components, modules and plugins. The components available in JED are tested by the security team. Install only these components. You will feel good… and so will your website!


I’m not Joomla! 

Many bots and other automated tools scan the Internet looking for websites built with Joomla! in order to attack them. Remove any reference to Joomla! from the source code to reduce these attacks.


You are not useful. Go away! 

Delete from the server everything you don’t need: third-party extensions or languages that are not going to be used, leftover files, etc. It is very common to install components during development that are then not used in production. So, go away!


“Configuration.php” in the VIP Lounge

Move the “configuration.php” file outside the public part of the server, so that it is not accessible via URL. This is the most sensitive file in Joomla!, as it contains critical information about the database, the FTP account, the file structure…

Permissions 755 for folders and 644 for files

Once the website is properly configured and stable, set the permissions of folders and files to protect them against writing. The best choice, whenever possible, is 755 for folders and 644 for files.
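The following script is an added example, not code from the original post: it applies the 755/644 scheme above to a Joomla! document root and then verifies that nothing in the tree is still writable by group or others. The path /var/www/joomla in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original post): enforce 755 for directories
# and 644 for files below a Joomla! document root, then verify the result.
# The path /var/www/joomla used below is an assumption for illustration only.

# Set every directory to 755 and every regular file to 644 below $1.
harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Count directories and regular files below $1 that are still writable by
# group or others. Prints 0 when the whole tree follows the 755/644 scheme.
count_writable() {
    find "$1" \( -type d -o -type f \) \( -perm -g+w -o -perm -o+w \) | wc -l | tr -d ' '
}

# Usage: sh harden_joomla.sh /var/www/joomla
if [ -n "$1" ]; then
    harden_perms "$1"
    echo "entries still writable by group/others: $(count_writable "$1")"
fi
```

Run count_writable on its own first to see how far the tree has drifted; run it again after harden_perms and expect 0. Keep in mind that if the web server runs as a different user from the file owner, the Joomla! updater and media uploads will need write access restored on the relevant folders while they run.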


We are people, not machines

Include a CAPTCHA in all the forms of the website. This way you avoid automated, massive attacks through these forms.


Secure, secure and secure all that you can

Add all the extra security you can in the Apache configuration (through an .htaccess file). Some examples follow:

# Protect the .htaccess file itself
# (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of Order/Deny)
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

# Protect the configuration.php file
<Files configuration.php>
    Order allow,deny
    Deny from all
</Files>

# Avoid the execution of scripts inside the “images” folder
# (place this block in images/.htaccess; the container directive was lost in
# extraction and the extension list below is a reconstruction)
<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|cgi)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Hide the folder structure (disable directory listings)
Options All -Indexes

Reverse engineering Gootkit

Gootkit, in some places also referred to as Xswkit, is a banking malware written almost entirely in JavaScript. In this blog post we will go through reverse engineering the malware to the point where we are able to decrypt its webinject configuration file, that is, the file which contains further instructions about its targets and about how to attack them.

Gootkit arrives on a machine via a relatively small loader, a Windows executable, which after performing virtual machine detection downloads the Node.js engine bundled with the malware code. This part of the malware is quite heavy, almost 5 MB in size. The JavaScript code inside is well hidden and encrypted with the RC4 algorithm. So let's kick off the analysis with one of these loader samples (MD5 b29089669c444cbdb62d89bf0e3c9ef8).

After successfully unpacking it we find ourselves at the original entry point, at address 4040C7:

The next thing we spot is an aPLib decompression routine. Note the magic header check for the DWORD 'AP32' in little-endian order:

Placing a breakpoint at this address and dumping the content of the decompressed buffer, we find another tiny embedded executable which later on will be injected into explorer.exe. This binary indeed contains suspicious strings related to VM detection:

An interesting fact is that this check can be controlled by an environment variable. The malware authors must have reserved this feature for their own testing purposes, but we can benefit from it too:

What we see here is a check for the presence of the environment variable "crackme"; a checksum of its value is then calculated and, if it matches a certain value, VM detection is skipped. The checksum is a variant of the well-known CRC32 algorithm. It did not take long to crack it: 'aHzkxc' is a value that Gootkit gladly accepts.

The malware uses a hardcoded User-Agent, which is checked by the C&C server. The URLs from which further payloads are downloaded:

  • hxxps:// (its purpose is not yet known)
  • hxxps:// (may be persistence module)
  • hxxps:// (core)

It uses an HTTPS connection over port 80 to communicate. These payloads are decompressed with the RtlDecompressBuffer API.

Next we turn our attention to the decompressed DLL 'rbody32' (MD5 d17f99eab2d8c6f3eb7b7f25b7631976), which is around 5 MB in size due to being linked with the Node.js engine. We can observe various references to things that look like embedded JavaScript files:

These records contain offset and size information about each individual script file. The complete list of embedded script files is given in the table below. Their names give us a pretty good guess about what each one does:


As a courtesy, you can download these files from GitHub.

One thing to note is that in these scripts we often find function calls that are OS dependent and are not part of the native Node.js engine, such as Windows registry manipulation, process injection, or hooking, which is vital for today's banking malware in order to deceive the web browser. Those functions have been implemented in C++ and exported through an interface that makes them available from JavaScript.

Okay, straight to the point. Where are the webinjects stored?

In 'client_proto_spyware.js' we can find a reference to a registry key:

Checking that registry key, we can see encrypted binary content:

Tracking this value in the scripts, we find references to a magical function called 'encryptDecrypt()'. However, we cannot seem to find where it is actually implemented. Of course, remember that some parts of the malware are still implemented in C++. Looking at rbody32 we can spot the decryption routine, which turns out to be a rather simple XOR with some division and multiplication:

Here at S21sec we have collected numerous samples of Gootkit, and what we have observed is that the countries most affected by this threat are France and Italy, with targets including Societe Generale, Banque Populaire, Le Credit Lyonnais, BNP Paribas, BTP Banque, Credit Cooperatif, Inbank, Banca Popolare di Milano, Credito Valtellinese, BPER Gruppo, Credem, Istituto Centrale delle Banche Popolari Italiane, Raiffeisen, Banca Popolare di Ancona, Banca Mediolanum, Intesa Sanpaolo, Banca Comerciala Romana, Chase, SwedBank, ...

Sonae IM and S21sec strengthen their position in the European cybersecurity market through the acquisition of SysValue.

The acquisition means that Sonae Investment Management (IM) now holds the leading position in Portugal, as the largest pure play cybersecurity entity, and is able to leverage significant synergies between Grupo S21sec Gestión and SysValue.

Sonae Investment Management (IM) has today confirmed its acquisition of SysValue, a cybersecurity services company with key strengths in Auditing, Consulting, Integration, Training and R&D, and a distinctive presence in the Telecom, Financial Services, Energy and Government sectors.

This acquisition, following the Grupo S21sec transaction in September 2014, is yet another important milestone in the execution of Sonae IM’s European cybersecurity market leadership and international expansion strategy. More specifically, the company now establishes itself as the clear pure play leader in the Portuguese market.

According to Carlos Alberto Silva, Board Member at Sonae IM, “We are proud of this latest development to strengthen our cybersecurity portfolio, as we believe there is a clear market opportunity for a focused player that has the added benefit of scale. SysValue represents a significant asset to us in Portugal and also at a wider regional level. We will continue seeking organic and inorganic growth opportunities.”

João Barreto, Founder and Chairman of the Board of SysValue, echoes these sentiments: “Becoming part of Sonae IM’s cybersecurity strategy is the result of 14 years of dedication to information security and teaming up with S21sec is an opportunity to elevate the delivery of cybersecurity services to unparalleled levels of expertise and sophistication. A broader service offering, the go-to-market of SysValue’s R&D initiatives and the delivery of services internationally will be immediate benefits stemming from this deal.”

The integration of SysValue into Sonae IM’s portfolio will also allow the extraction of significant synergies involving the pooling of knowledge and expertise in Technical Delivery and R&D resources, establishment of common back-office structures, alignment of go-to-market strategies, consolidation of positions in key accounts and plenty of cross-selling opportunities.

When thinking about the synergies, Pedro Leite, Chief Delivery Officer and VP Portugal at S21sec, says, “With the acquisition of SysValue, we strengthen our position in the Portuguese market with a team of highly specialized and experienced cybersecurity professionals. As the country’s market leader, we want to contribute to the development of the cybersecurity sector in Portugal and we believe that we have the right team to make it happen.”

Sonae IM will be able to further leverage its portfolio companies’ Government sector relationships and activities to reinforce its proactive EU strategy to strengthen the region’s robustness and preparedness when facing cybersecurity incidents. Through S21sec, Sonae IM holds the Presidency of the European Cybersecurity Group (ESCG), an alliance of 5 leading European pure play companies.



Yesterday we saw how Europol published a press release announcing the arrest of approximately 700 money mules all over Europe last February.

These are key operations, as they directly affect the monetization of fraud and require the participation of international banks, police forces and security companies in order to take place.

We have been investigating the use of mules in bank fraud since the 21st century began, more specifically the operation of banking malware that calls itself ATS. This abbreviation stands for Automated Transfer System, and its aim is to act as an automated interface connecting banking Trojans to the mules recruited by the "mule herder".

Inside an ATS, showing the connections coming from the botnet.

Although this has been a very popular attack in recent years, it is in no way new, as we have internal records of its use since at least 2011. The fraud process generally consists of the following steps:

1. The user is infected by malware. This normally occurs through a social engineering attack received by email or while unknowingly browsing an infected web page that hosts an exploit kit.

2. The infected user visits the legitimate website of their usual bank and is deceived through social engineering.

3. The deceived user makes the transfer. The malware then connects to the ATS panel which, based on the user's data, selects a mule from those it has recruited to receive the transaction.

4. After the transfer, the malware can act in different ways, as determined by the cybercriminal: delete itself, destroy the operating system, or carry on as if nothing had happened, falsifying the data visible to the user.

The graph below shows a general outline of the process.

One of the daily tasks in the department when investigating and analyzing botnets is to check whether the associated malware is able to perform attacks using an ATS.

As a result of these analyses, in 2015 we detected around 150 different mules prepared to receive transfers made by infected users. The main malware families using these mules were kins, tinba, xswit, pykbot, urlzone and dridex.

An example can be seen below in the locations of the mules used by tinba botnets.

For us, it is a real challenge to share our work and cooperate with the police and government security bodies to try to neutralize and capture all those involved in these fraud schemes, so we are proud to see press releases like this one from Europol.

Today we can be pleased with the work we have done; tomorrow we will have to detect the 700 mule accounts that are no doubt already being prepared.


© Copyright S21sec 2013 - All rights reserved